partial recall

WordPress Vulnerability

11.08.2005.

WordPress and Secunia reported on August 9 that there is a critical security vulnerability in WordPress 1.5.1.3. I can attest to that.

Yesterday I had a very important presentation to give as part of my graduation requirement for grad school. My presentation was entitled “Don’t Get Caught in the Web: Using a website to enhance small business opportunity.” Part of the presentation involved a demo of a live website that I created for my wife’s private practice.

2.5 hours before the presentation, I casually checked the site from work and was presented with a page that read, “Account suspended. Please contact support/billing immediately.” What?! After 52 minutes waiting on the customer service line with my webhost, I was told that they do not provide support over the phone. Instead, I needed to use the form submission to communicate support requests via email. Aarrgghh! Now about 1.5 hours before showtime.

I did use the submission form and received a reply more quickly than I anticipated. My provider suspended my account because they thought I had introduced a malicious IRC bot onto my own webspace. Sorry, I’m not that technically inclined, just enough to install WordPress and to customize it for my liking.

Long story short, a hacker infiltrated my webspace through a vulnerability in WordPress 1.5.1.3. It appears a patch may be available to close this vulnerability, but thankfully, my webhost support contact made a file change on my space to hopefully plug this security hole.

Fortunately, the presentation went off without a hitch and I could access the website. After two more weeks of a summer school class, I will be done with my program. In retrospect, I realize that perhaps I need to use a stricter password for my WordPress account. Security has become a serious issue, folks, and yesterday it became that much more personal to me.

Update

On August 14, WordPress 1.5.2 was released to address these security issues.